ABSTRACT

A system and method provide transparent access from any 
system entry service to multiple account management 
services, and particularly to multiple authentication services 
on a computer system, supporting unified login and logout. 
Transparency between system entry services and account 
management services, including authentication, password, 
account, and session services, is provided by an application 
programming interface and a configuration file. The con- 
figuration file stores associations between system entry 
services, and selected account management services, and 
allows an individual system entry service to be associated 
with multiple different ones of a given type of account 
management service, such as authentication services. The 
application programming interface determines dynamically 
in response to a request by a system entry service for an 
account management operation, such as authentication of a 
user, which account management service is associated with 
the system entry service by reading the configuration file and 
queuing pathnames stored therein of the account manage- 
ment services associated with the system entry service 
currently connecting the user to the system. The application
programming interface then invokes the queued pathnames 
for the desired operation. Multiple login is provided by 
encrypting authentication tokens used by the authentication 
services associated with a given system entry service with a 
primary authentication token of one of the authentication 
services, and subsequently decrypting the encrypted tokens 
as needed to authenticate the user. With unified login, the 
user need only provide the primary authentication token. 
Unified logout is provided by locating and destroying cre- 
dentials of the user created by the multiple authentication 
services in response to a request of the valid user to logout. 
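The authentication token mapping the abstract describes (encrypt the secondary services' tokens under the user's primary token, store each one next to the name of the service it belongs to, and decrypt on demand so the user supplies only the primary token) can be modelled as follows. This is an added example, not code from the patent or from Sun's implementation: the record layout, the function names build_token_map, unlock_token and unified_login, and the use of an HMAC-SHA256 keystream with an HMAC tag as a stand-in for whatever cipher a real deployment would use are all assumptions of the example.

```python
# Added example (not the patent's or Sun's code): authentication token mapping.
# The primary token is stretched into separate encryption and MAC keys; each
# secondary token is encrypted under those keys and stored with its service
# name; the primary token alone later unlocks every secondary token.
# Stand-in cipher: HMAC-SHA256 keystream in counter mode plus an HMAC tag,
# used only because the standard library ships no block cipher.
import hashlib
import hmac
import os
from typing import Dict, Optional

KDF_ITERATIONS = 100_000   # assumed work factor for the PBKDF2 stretch


def _derive_keys(primary_token: str, salt: bytes):
    """Stretch the primary token (PBKDF2) into an encryption key and a MAC key,
    so a copied token map cannot be searched cheaply offline."""
    material = hashlib.pbkdf2_hmac("sha256", primary_token.encode(), salt,
                                   KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-based counter-mode keystream: HMAC(key, nonce || counter) blocks."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _tag(mac_key: bytes, service: str, nonce: bytes, ciphertext: bytes) -> bytes:
    # The service name is bound into the tag, so a record copied from one
    # service's slot into another's is rejected rather than decrypted.
    return hmac.new(mac_key, service.encode() + b"\0" + nonce + ciphertext,
                    hashlib.sha256).digest()


def build_token_map(primary_token: str, secondary_tokens: Dict[str, str]) -> dict:
    """Encrypt every secondary token under the primary token.  The returned
    record is what the patent would keep in the user context or naming service:
    a salt plus, per authentication service, (nonce, ciphertext, tag)."""
    salt = os.urandom(16)
    enc_key, mac_key = _derive_keys(primary_token, salt)
    entries = {}
    for service, token in secondary_tokens.items():
        nonce = os.urandom(16)
        pt = token.encode()
        ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
        entries[service] = {"nonce": nonce, "ciphertext": ct,
                            "tag": _tag(mac_key, service, nonce, ct)}
    return {"salt": salt, "entries": entries}


def unlock_token(token_map: dict, primary_token: str, service: str) -> Optional[str]:
    """Recover one service's token.  Returns None when the service has no
    entry, the primary token is wrong, or the record was altered: the tag is
    verified before anything is decrypted."""
    enc_key, mac_key = _derive_keys(primary_token, token_map["salt"])
    entry = token_map["entries"].get(service)
    if entry is None:
        return None
    expected = _tag(mac_key, service, entry["nonce"], entry["ciphertext"])
    if not hmac.compare_digest(entry["tag"], expected):
        return None
    ct = entry["ciphertext"]
    return bytes(a ^ b for a, b in
                 zip(ct, _keystream(enc_key, entry["nonce"], len(ct)))).decode()


def unified_login(token_map: dict, primary_token: str) -> Optional[Dict[str, str]]:
    """Unlock every mapped token for the login.  Any tag failure makes the whole
    call return None, so a wrong primary token never yields a partial set."""
    recovered = {}
    for service in token_map["entries"]:
        token = unlock_token(token_map, primary_token, service)
        if token is None:
            return None
        recovered[service] = token
    return recovered


if __name__ == "__main__":
    # Constructed sample: a UNIX password as primary token, two secondary tokens.
    tmap = build_token_map("unixpw", {"rsa_auth": "rsa-secret", "kerberos_auth": "krb-secret"})
    print(unified_login(tmap, "unixpw"))     # both secondary tokens recovered
    print(unified_login(tmap, "guess"))      # None: wrong primary token
```

The design choice worth noting is that the storage facility the patent names (user context, naming service, smart card) is exactly what an attacker who reaches the host can read, so the map is only as strong as the stretch on the primary token and the integrity check on each record; the tag is checked before decryption so a modified or misplaced entry fails closed rather than handing a garbled token to the secondary service.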

26 Claims, 6 Drawing Sheets 
PLUGGABLE ACCOUNT MANAGEMENT INTERFACE WITH UNIFIED LOGIN AND LOGOUT AND MULTIPLE USER AUTHENTICATION SERVICES

BACKGROUND

1. Field of the Invention

The invention relates generally to methods and systems for managing user access to networked computers, and more particularly, to methods and systems that support the use of user authentication, account, password, and session management services.

2. Background of the Invention

Many computer systems, particularly networked computer systems supporting many users, generally employ some form of an account management system to track authorized users of the system, the type of account each user has, including what services or resources are available to the user, each user's password, and the details of each session the user has on the computer system. One of the critical aspects of account management is the authentication of users attempting to access the computer system.

Conventional networked computer systems typically provide in an account management system one or more mechanisms that authenticate the identity of a user attempting to access the system. The authentication services typically rely on data that is uniquely associated with a user to establish the user's identity. Conventional authentication services include various password or key-based protocols such as DES, Kerberos, Diffie-Hellman; biometric systems, such as retina scans, fingerprint scans, and voiceprint analysis; challenge/response systems that require the user to respond to a varying coded prompt with an appropriate response algorithmically dependent on the prompt; and hardware devices such as smart-cards encoded with information particular to the user. One factor authentication systems use a single authentication service to authenticate the user. Multi-factor systems combine authentication services, such as a password and a retina scan.

Most computer systems support various types of system entry services, such as UNIX® login, ftp, telnet, passwd, rlogin, and the like. These system entry services are generally coupled directly to the authentication service, whether one factor or multi-factor, to authenticate users during the initial connection and authentication process. The authentication service is generally accessed through hard coded rules or linkages in the source code of each of the system entry services. If multiple authentication services are used to increase the security of the computer system, then each system entry service must be coded or otherwise directly linked with each authentication service.

One problem with this approach is that it results in a very specific combination of authentication services, and requires source code modification of the system entry services in order to couple them to the authentication services. Second, as the strength of existing authentication services declines over time, and as new authentication technologies are developed, a hard-coded approach severely limits the system administrator's ability to incorporate new authentication services into the authentication system. Third, in this approach the system entry services are not truly independent of the authentication services, but rather effectively integrated with them. The system administrator is unable to easily specify the use of particular authentication services for a given type of system entry service since all system entry services use the same authentication services. The lack of independence further hampers the adaptability of the computer system, and increases the difficulty of system maintenance. These problems also apply to the other aspects of the account management system, such as the session, password, and account components that separately administer these aspects of the user's interaction with the computer system.

For any computer security system to be successful, it must be easy to use. However, in conventional systems where multiple authentication services are used to authenticate the user, the user must typically remember or provide an authentication token for each authentication system. Authentication tokens include passwords, public keys, private keys, smart card personal identification numbers, biometric data such as retinal fingerprints, voiceprints, and the like. This requirement typically makes it difficult for the user to access the system, especially where each authentication service has different requirements for allowable characters, length of key, age restrictions on keys, and other particular parameters. The use of multiple authentication tokens may be difficult for those users who are not familiar with the underlying system security policies or authentication services.

Another problem with the use of multiple authentication services arises when the user attempts to logout and terminate their session. When a user is authenticated, the user's credentials, including the user's authentication token, are typically stored on the system. Storing the credentials is generally part of the security system of the computer, and allows a system administrator to determine who is currently logged into the computer, which resources are being used, and other account related information. Currently, there is not provided a single logout mechanism that locates and destroys the credentials created by the various authentication services used to authenticate the user. Rather, the user currently must manually destroy the credentials by invoking for each authentication service the appropriate function to remove the credentials created by that authentication service. For example, to destroy credentials created by a Diffie-Hellman authentication service, the user must invoke keylogout on a UNIX® system, which locates the private key of the user and removes it. Similarly, on a UNIX® system with a Kerberos authentication service, the user must invoke kdestroy. Other authentication services have their own particular key removal or destruction process.

Manual destruction of credentials presents several problems. First, it eliminates the transparency of the authentication services to the user. One of the essential ideas in providing a multiple authentication system is that the separate services are transparent to the user, who needs only to initiate their login process for whatever type of connection is being made. Requiring the user to then directly interact with the underlying authentication services by invoking multiple different commands removes the transparency, and thus the ease of use of the authentication system as a whole. Second, while the user could modify a UNIX® logout file, or similar file on other systems, that contains a number of processes to execute on logout, this requires that the user have a high degree of familiarity with the particular authentication services, and the configuration of system files and scripts. This high level of training is not applicable to the broad variety of users of such systems. Third, modification of logout files to initiate logouts of all authentication services would result in logging out the user from all current sessions, even if the user desires only to logout of one session. This is an undesirable side effect that may frustrate many users, as they would be required to login again to re-establish one of the sessions.
Accordingly, it is desirable to provide a system and method that separates the system entry services from the account management system in such a way that any combination of particular account management services may be specified for use with particular system entry services, such that the use of the account management services is transparent to the system entry services, and the user. In particular, it is desirable to provide a system that allows specific system entry services to be associated with selected authentication services in an easily configurable, flexible manner. It is also desirable to provide a system and method where a user is able to employ a single authentication token with any number of multiple authentication services to obtain a unified login. It is finally desirable to provide a system to provide unified logout so that the user does not have to manually logout and destroy credentials created during the authentication process.

SUMMARY OF THE INVENTION

The present invention overcomes the foregoing various limitations by providing an application programming interface that mediates between the system entry services and account management services on a computer, and a facility that stores service associations between each system entry service and selected ones of the account management services. The application programming interface receives invocations from a given system entry service for a given type of functionality, determines which particular account management services are associated with the invoking system entry service, any restrictions or parameters of such association, and then invokes the appropriate account management service to provide the requested functionality. In a preferred embodiment the service associations are stored in a configuration file, but other types of storage facilities may also be used. The application programming interface is "pluggable" because any number of different account management services may be accessed by the application programming interface through the service associations. Thus, the application programming interface transparently and dynamically links a particular requested operation of a particular system entry service with the appropriate account management service, or services, for providing that operation. The application programming interface is here called a pluggable account management interface.

The configuration file or other facility managing the service associations allows for establishing associations between a given system entry service and multiple instances of a given account management service type, such as authentication, session, and the like. The ability to provide such multiple associations is called "stacking." Stacking account management services is particularly useful with authentication services, providing multiple authentication services for any given system entry service, without the need to modify the source code of each system entry service to provide such relationships.

Stacking of authentication services further supports unified login and logout. Unified login is accomplished through an authentication token mapping process. This process uses a user's primary authentication token for a primary authentication service, such as a password, private key, or other unique data, to encrypt the user's other authentication tokens for other secondary authentication services. The encrypted authentication tokens, along with data indicating which authentication services they are associated with, are stored in an available storage facility, such as a user context, naming service, smart card, or the like. In this manner, the user need only remember or provide a single authentication token to the computer system, even though multiple authentication services are supported.

The present invention further provides for unified logout in a transparent and easy to use and administer fashion by providing a transparent credential destruction process that handles the identification and removal of a user's credentials during a single logout process. The credential destruction process may be implemented either as an additional service separate from each of the authentication services that create the credentials, or it may be incorporated into each authentication service as appropriate. The pluggable account management interface determines which authentication service, or other service, is selected for providing destruction of credentials. The pluggable account management interface then invokes such service to provide a credential destruction process. The credential destruction process determines the user requesting destruction of the credentials, verifies that the user is the actual user for those credentials, locates the credentials as stored by the authentication service, and removes them from the system. In conjunction with the pluggable account management interface, the credential destruction process operates without the user having to manually invoke particular services to destroy the credentials.

With the pluggable account management interface, unified login and logout together provide substantial improvements in the ease of use of otherwise complex computer systems. This is particularly useful as such systems are increasingly used in organizations with many novice users for whom it is not possible or efficient to provide extensive detailed training on the underlying commands and use of the computer system's various account management services. Further, the use of the service associations in a configuration file or other storage facility substantially increases ease of system administration and the flexibility of the computer system.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a computer system including the pluggable account management interface of the present invention.

FIG. 2 is a flowchart of the operation of the pluggable account management interface in response to invocations for services via the configuration file.

FIG. 3 is a dataflow diagram illustrating the process of connecting to the computer system with a unified login.

FIG. 4 is a flowchart of the process of handling multiple authentication services for providing unified login through authentication token mapping.

FIG. 5 is a dataflow diagram illustrating the process of disconnecting from the computer system during a unified logout.

FIG. 6 is a flowchart of a process of handling multiple authentication services for unified logout with multiple credentials.

DETAILED DESCRIPTION OF THE INVENTION

System Architecture

Referring now to FIG. 1, there is shown one embodiment of a computer system providing a pluggable account management interface with unified login and logout, and multiple authentication services. The system 100 includes a computer 101, having an addressable memory 103, a processor 115, input 117 and output devices 119, a network interface 121, and a mass storage device 129. Users may connect through the network interface 121 to the computer system 100 over a network 139, such as a LAN, WAN, or the like, from either a remote computer 135, or a terminal 137, or other similar device.

The addressable memory 103 further includes a number of system entry services 107, a number of authentication services 109, account services 111, password services 113, and session services 115. These services are jointly referred to as account management services. Each such service provides particular functionality in managing the accounts of the users of the system 100, as further described below.

The addressable memory 103 further includes a pluggable account management interface 123, and a set of other services 131 available to authorized users of the computer 101. The other services 131 include any type of application, files, or data. Storage for user credentials is provided by a credential store 143, or may be provided in other storage facilities, both private, for example, a smart card, or public. Storage for encrypted authentication tokens is preferably provided in a user context 141 or other similar facility.

The computer 101 may be realized by most general purpose computers, such as a SPARCstation™ computer manufactured by Sun Microsystems, Inc. of Mountain View, Calif. Any other general purpose computer may also be adapted for use with the invention. Computer 101 executes a general purpose operating system 133, such as Sun Microsystems' Solaris® operating system, resident in the addressable memory 103. The operating system 133 and various services provided in the addressable memory 103 are executed by the processor 115 in a conventional manner. The processor 115 also reads and writes data and code files to and from the mass storage device 129.

System Entry Services

The computer 101 includes one or more system entry services 107. The system entry services 107 are invoked by the processor 115 and the operating system 133 when a user attempts to access the computer 101. The system entry services 107 include, for example, UNIX® login, sulogin, dtlogin, rlogind, uucpd, ftp, telnet, and the like. Generally, each system entry service 107 includes as attributes connection data describing the operational, network, and connection parameters used by the system entry service 107 to connect to the computer 101 via the network 139.

Each system entry service 107 generally includes a method that provides the necessary processing to establish a connection over the network 139, telecommunication lines, or the like between the user's computer 135 or other device, and the computer 101. Such a method may be internal to the system entry service 107, or may provide an external interface to the user; for the purposes of this disclosure the method used by each system entry service 107 to connect a user to the computer 101 is here generally labeled the "connect method." It is understood by those of skill in the art that the actual method names employed by any of the services referred to herein may vary in actual practice; the names are chosen here to be representative of the functionality. The connect method performs useful handshaking and error-checking to establish a networked connection for a user. The connect method further provides transaction control over other set up functions, including authentication, account validation, and the like. The process of connecting to the computer 101 via the connect method is further described below with respect to FIG. 3.

Each system entry service 107 further includes a method that terminates the user's session on the computer. This method, here called "disconnect," may be explicitly invoked by the user, for example with the "bye" command during an ftp session, or implicitly invoked by the operating system 133, for example where the user simply turns off his computer. The disconnect method terminates or completes any processes that the user has initiated, and severs the connection between the user and the computer 101. The process of disconnecting from the computer via the disconnect method is further described below with respect to FIG. 5.

Pluggable Account Management Interface

Intermediating between the system entry services 107 and the various account management services is a pluggable account management interface 123. The pluggable account management interface 123 allows any system entry service 107 to be used transparently with any combination of account, password, session, or authentication services 109, including multiple instances of a given type of account management service. In this manner the pluggable account management interface 123 supports the unified login and logout with multiple authentication services 109.

The pluggable account management interface 123 is preferably a library of methods that the system entry services 107 invoke to obtain desired functionality from the various account management services. When called, the pluggable account management interface 123 determines selected ones of the account management services associated with a given system entry service 107, and invokes selected methods of these account management services, for example, to authenticate the user, initiate or terminate a session, or to perform other account management operations. As a specific example, where the user is attempting to connect to the computer 101 through a login system entry service 107, the pluggable account management interface 123 dynamically determines which particular authentication services 109, account services 111, password services 113, and session services 115, if any, are to be specifically used with the login system entry service 107, and invokes any method of such services requested by the login system entry service 107. Since the pluggable account management interface 123 handles the determination and invocation of the account management services, both the user and the system entry service 107 may interface transparently with any account management service, without the system entry service 107 having to be hardcoded to a specific account management service for providing the desired functionality.

The particular methods of the pluggable account management interface 123 are further discussed following a description of the configuration file 127.

Configuration File

In the preferred embodiment, the pluggable account management interface 123 determines the selected account management services associated with a given system entry service 107 through the configuration file 127. The configuration file 127 allows multiple different ones of a selected account management service type (account, session, password, or authentication) to be dynamically associated with a given system entry service 107. The ability to use multiple different ones of a given account management service is called "stacking," and it is particularly useful in conjunction with the authentication services. The configuration file 127 allows multiple authentication services 109 to
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be stacked for authenticating a user, and further enables may be any other type of account management service that 

unified login to such stacked authentication services 109 is implemented on the computer 101. The module type 

with a single password, and unified logout with a single designation is used at various stages of processing by the 

logout command. pluggable account management interface 123 to determine 

Generally, the configuration file 127 stores a set of service 5 which account management service of a given type is to be 

associations. Each service association relates one system ?™ k ? m 3 ^ queSt by t a SyStem ent ? f™* 

An - ... i _ j / ' 107. Generally, the pluggable account management interface 

entry service 107 with one or more selected account man- ™ , tl f « ^ t j f f <u 

' • ™ , j . . 123 reads the configuration file to identify the service 

agement services. The selected account management ser- . . . . & . . , . . 

. , . c * qp« associations having a certain module type, and then queues 

vices may be of the same type, or from various types. The . a , lt _° - ■ ■ «£ -c • 

3 ... c j . i-i j u .u m the specified pathnames for invoking the specific services 

service associations form a decision table used by the 10 4 f - 4l _ * . . & * 

. , . • m 4 . ' . listed for that module type, 

pluggable account management interf ace 123 to de term me _ /K . 

which account management service is to be used provide u ™ e a ™ 1 management service pathname field specifies 

account management functionality in response to the use of the Nation of the account management service on the 

a particular system entry service 107. com P uter 101 _° r net ™ rk , ™ e P lu ^* bl f acc0UDt maD ' 

, , . , . , ... is agement interface 123 loads the specified service upon 

In the preferred embodiment each service association is demaQd of , he en xrvi<x 10? t£) invoke (he 

a generally a tuple comprising the following information: required Fof any ^ sys , cm entry ^ 107 

<system entry service name, account management service multiple different account management service pathnames, 

type, control flag, account management service path name, am j hence account management services of a given type, 

option parameters> 20 mav be specified. This is stacking of account management 

Table 1 illustrates an example of one set of possible services. In the preferred embodiment, when a system entry 

service associations in a configuration file 127, and the service 107 that is associated with stacked account manage- 

description of the various elements of the service association ment services requests an operation thereof, the pluggable 

tuple will refer to this example: account management interface 123 invokes the account 



TABLE 1 



System Entry Account Account 

Service Management Control Management Service 
Name Service Type Flag Path Name 



Option 
Parameters 



login 
login 
login 
login 
ftp 
ftp 



ftp 



authentication required /usr/lib/PAM/unix_auth.50.1 

authentication required /usr/lib/PAMAinix_RS Aso. 1 

session required /usr/lib/PAM/unix_session.so.l 

account required /iisr/lib/PAM/unix_accounL8o.l 

authentication required /usr/lib/PAM/kerberos_auth.so.l 

authentication required /usr/lib/PAM/rsa_auth.so.l 

session optional /usr/lib/PAMAinix_session.so.l 

account optional /usr/lib/PAM/unix_accounUo.l 

password required /usr/lib/PAM/unix__password.so.l 

authentication optional /usr/lib/PAM/dime_auth.so.l 



use_map 
debug 



usc_ 
default 



The system entry service name field denotes one of the 
system entry services 107 available on the computer system 
100, for example login, telnet, ftp, and the like, for which the 
service association is defined. In addition to individually 45 
specifying a single system entry service 107, a universal, or 
wild card, character, for example "***, may be used to 
indicate all system entry services 107. In the preferred 
embodiment, service associations that specify a particular 
system entry service 107 for a given type of account 50 
management service take precedence over associations that 
specify all system entry services 107 through a wild card. In 
the example of Table 1, the wild card in the last entry 
indicates that for all system entry services 107 other than 
those already specified, authentication is optional, and per- 55 
formed by an authentication service 109 providing Diffie- 
Hellman authentication. The wild card may also be used, in 
the preferred embodiment if all system entry services 107 
have the same association to a given account management 
service. For example, the second to last entry indicates that 60 
all system entry services 107 use the password service 123 
module provided in the UNIX® operating system to change 
the authentication token of the user. 

The module type field indicates the type of account 
management service that is associated with the specified 65 
system entry service 107. The module type is preferrably 
one of authentication, account, session, or password; but it 



management services in the order in which they are stored 
in the configuration file 127. 

The control flag field determines the failure behavior of 
the associated account management service when that ser- 
vice is stacked with other services, and particularly indicates 
whether the service is required, or optional. Upon execution 
each account management service returns a value to the 
pluggable account management interface 123 indicating 
whether the account management service successfully 
executed. If an account management service returns a "fail- 
ure" condition following its execution, the control flag field 
specifies whether the pluggable account management inter- 
face 123 should continue processing with other stacked 
account management services. If a required flag is specified, 
the failure status indicates that no further processing is 
attempted, and the connection attempt, or other processing, 
is aborted. If an optional flag is specified, the pluggable 
account management interface 123 invokes the next stacked, 
or unstacked account management service. 

The control flag is usefully employed with multiple 
authentication services 109. In the example of Table 1, the 
user attempting to connect to the computer 101 via the login 
system entry service 107 must be authenticated by both the 
UNIX® system and by the RSA system. If either one fails, 
the user is denied access. If both are successful, the user is 
then optionally authenticated with a Diffie-Hellman authentication service 109, as determined by the last entry with the wild card. This authentication process is optional, and the user will still be allowed to connect to the computer 101 if it fails.

The option parameter is used by the pluggable account management interface to pass service specific options to each account management service. It is the responsibility of the account management services themselves to interpret the option parameters. The debug parameter in the third service association, for example, turns on debugging in the specific service. The use_map and use_default parameters are used with authentication token mapping and unified login, described below.

Referring now to FIG. 2, there is shown a flowchart of the operation of the pluggable account management interface 123 in handling the stacking of account management services. This logic is employed as part of the main processing of the pluggable account management interface 123 prior to performing a specific method providing particular functionality to a system entry service 107. The pluggable account management interface 123 is invoked by a system entry service 107, either in the course of connecting to the computer 101, or subsequently. The pluggable account management interface 123 determines 201 the type of system entry service 107 that is invoking it, and the module type of the account management service that the system entry service 107 is requesting. For example, the pluggable account management interface 123 determines that it is being invoked by the login system entry service 107, and that login is requesting an authentication service 109.

The pluggable account management interface 123 then reads 203 a service association entry in the configuration file 127. The pluggable account management interface 123 compares 205 the system entry service name in the service association to that of the invoking system entry service 107, and compares the module type specified in the service association to the requested module type. If there is a match, the pluggable account management interface 123 stores 207 the service pathname of the service association to a queue, along with the control flag included in the entry. The pluggable account management interface 123 considers a universal, or wild card, character a match. The pluggable account management interface 123 tests 209 whether the entire configuration file 127 has been read. If not, the pluggable account management interface 123 continues this processing until the entire configuration file 127 has been read. Using the example of Table 1 above, if the user was attempting to connect to the computer 101 with the login system entry service 107, and requesting a user authentication, then the pluggable account management interface 123 reads and queues the first two entries of the configuration file 127, /usr/lib/PAM/unix_auth.so.1, and /usr/lib/PAM/unix_RSA.so.1, along with the required control flags, since the system entry service name in the configuration file 127 matches login, and the module type matches authentication.

The pluggable account management interface 123 loops 211 over the queued pathnames for the account management services of the selected type. The pluggable account management interface 123 invokes 213 a specific method of a queued account management service, as determined from the input parameters, which define the type of operation the system entry service 107 is requesting. Continuing the above example, the pluggable account management interface 123 invokes an authenticate method on first the UNIX® authentication service 109, and then on the RSA authentication service 109. The account management service executes, and returns a value indicating whether the execution, here authentication, was successful.

The pluggable account management interface 123 determines 215 from the return value whether the service successfully executed. If so, the pluggable account management interface 123 invokes 213 the next account management service, if any. If the service did not execute successfully, the pluggable account management interface 123 determines 217 from the control flag whether the service is required. If the service is required, the pluggable account management interface 123 generally exits 219, or it may provide additional operations, depending on optional parameters passed to the pluggable account management interface 123 by the system entry service 107.

The ability to stack account management services is particularly useful when designating multiple authentication services 109. For example, in Table 1, the login system entry service 107 is associated with two authentication services, the UNIX® authentication service 109 provided by the UNIX® operating system, and an RSA authentication service 109. Each of these authentication services 109 is invoked 213 by the pluggable account management interface 123 to authenticate a user employing the login system entry service 107. If the UNIX authentication failed, the pluggable account management interface 123 determines 217 that such authentication service 109 is required per the configuration file 127. It then exits 219, and indicates to the system entry service 107 that authentication failed, and hence the user is not authorized to access the computer. The system entry service 107 may then inform the user of the failed authentication. If the UNIX authentication was successful, then the RSA authentication is invoked 213, and again tested for successful execution. Accordingly, the user is allowed to access the computer 101 only if authenticated by both of the services.

Authentication Token Mapping

In the preferred embodiment the stacking of multiple authentication services 109 is used in conjunction with an authentication token mapping technique to provide unified login. Authentication token mapping allows each stacked authentication service 109 to have a unique authentication token for the user, while requiring the user to remember or provide only a single authentication token when attempting to connect to the computer 101. The authentication token mapping process employs one authentication token of the user, the primary authentication token, to encrypt the user's other, secondary authentication tokens. The secondary authentication tokens are encrypted using any available encryption technique, which may be opaque between authentication services. The encrypted, or mapped, authentication tokens are stored in some storage facility on the computer 101, such as a user context 141, naming service, user file, memory location, or the like. Alternatively, the encrypted authentication tokens may be stored in a smart card, or other non-public storage facility. The secondary authentication tokens are mapped because in whatever facility they are stored in encrypted form, the encrypted form is identified as being associated with a particular authentication service 109. In other words, the storage facility need only store the encrypted authentication token and data indicating to which authentication service 109 it belongs. The storage facility need not, and preferably should not, itself have the ability to decrypt the encrypted authentication tokens.

In other embodiments of the system 100, unified login is provided through using a same, single authentication token for all of the stacked, or selected authentication services.

In order to support either approach in a single system 100, there is provided for the option parameter of the configuration file 127 two parameter values: use_default causes the specified authentication service 109 to use the primary authentication token, thereby resulting in a single token approach; use_map causes the authentication service 109 to obtain the encrypted secondary authentication token particular to it, and decrypt the secondary authentication token with the primary authentication token.

Because the pluggable account management interface 123 reads the configuration file 127 to determine which account management service, and more particularly, which authentication service 109, to employ with a given system entry service 107, the association of one or more account management services with a given system entry service 107 may be flexibly configured without having to hardcode the association into the source code of the system entry services 107. The system administrator may easily add new entries to the configuration file 127, to provide new service associations. Likewise, the system administrator may change existing service associations, for example, to upgrade an existing authentication service 109 with a new version, or to change from one authentication service 109 to another entirely. All this may be done without disrupting the user's ability to access the system 100, and without the need to perform programming, thereby increasing the ease of maintenance and the flexibility of the system 100. Further, because the pluggable account management interface 123 dynamically determines the correct account management service for a given invocation by a system entry service 107, the pluggable account management interface 123 and configuration file 127 allow the account management services to be accessed transparently to the user.

The combination of authentication token mapping and stacking of authentication services 109 via the configuration file 127 provides a powerful, and flexible authentication system. However, authentication token mapping may be used independently of the configuration file 127 and service associations therein, such as with more conventional hard-coded relationships between system entry services 107 and authentication services 109. A process of authentication token mapping is more fully described with respect to FIG. 4, below, in the context of the process of connecting to the computer 101.

Finally, the configuration file 127 is only one means of establishing the service associations between the system entry service 107 and the account management services. In other embodiments, other storage facilities, such as a naming service operating in conjunction with the XFN API specified in "Federated Naming: The XFN Specifications", [...] #P403, ISBN: -85912-045-8, X/Open Co. Ltd., July 1994, may be used, for example.

Methods of the Pluggable Account Management Interface

Having described the interaction between the pluggable account management interface 123 and configuration file 127 to provide transparent access to the account management services, and stacking of services, the specifics of the pluggable account management interface 123 methods are now described. These are the methods that are invoked on the pluggable account management interface 123 by the system entry services 107 to obtain specific functionality from the underlying account management services. The pluggable account management interface 123 then invokes (213) corresponding methods on the particular account management services specified in the configuration file 127.

The pluggable account management interface 123 preferably provides five general categories of methods that interface with the various account management services through the configuration file 127. A first category provides methods that initiate, maintain, and terminate a service transaction for a user through the use of a user handle. A second category contains methods that interface with the authentication services 109 to authenticate a user, get and set a user's credentials, and destroy a user's credentials upon termination of a session. A third category contains methods that interface with the session services to initiate the opening and closing of sessions. A fourth category contains a method that interfaces with the password services to change the authentication token. A fifth category contains functions that interface with the account services to get and set attributes of the authentication token.

Service Transactions

A first set of interfaces of the pluggable account management interface 123 provide for the initiation, maintenance, and termination of a service transaction. A transaction is defined by a sequence of operations or behaviors that a system entry service 107 invokes to obtain a desired result, such as authenticating a user, updating an account, changing an authentication token, and the like. A transaction may involve only a single account management service, or a number of multiple account management services of the same type. [...] service specific information through the pluggable account management interface 123 to the underlying account management services, thereby eliminating the need to hard code into each system entry service the interfaces of the account management services.

A transaction is initiated by a start transaction method which creates a user handle. The start transaction method takes as inputs the name of the current system entry service 107, the user's name, and a variable for holding the user handle. On successful completion, the user handle stores this information, so that it may be subsequently passed to specific methods of the account management services.

Because the invention allows any system entry service 107 to be associated with an individual or number of various account management services, it is understood that each system entry service 107 provides its own specific routines to display information to the user, and to obtain user input. Since the behavior of the underlying account management services is preferably transparent to the user, it is preferable that the system entry service 107 manage the interaction with the user. Accordingly, in the preferred embodiment, the start transaction method obtains from a system entry service 107 the address of a set of functions of that system entry service 107 that may be invoked by any of the account management services to display information and obtain input from the user. These functions are collectively referred to as conversation functions, since they manage a dialogue with the user. A given account management service may invoke the conversation functions through their address when necessary to interact with the user. Thus, the address of the conversation functions is also passed in and stored in the user handle. Finally, in some embodiments, such as a UNIX® environment, there is also passed into the start transaction method, and stored in the user handle, the tty or port name, and the remote host name, where the user is connecting from a remote computer system.

The preferred embodiment further provides methods that get and set specific items in the user handle. The set item method is preferably passed a pointer to an item, such as user_name, and an item type flag. The method copies the item to the portion of the user handle specified by the item type flag. Similarly, the get item method is passed a pointer, and an item type flag. This method assigns to the pointer the address of the object having the specified item type.

Finally, there is provided an end transaction method in the pluggable account management interface 123. This method is invoked by the pluggable account management interface 123 to terminate a service transaction employing a given user handle, and to free any storage allocated by an account management service to manage the user handle.

For the functionality provided by the methods in the second through fifth categories, those that interface with the account management services directly, the pluggable account management interface 123 preferably first performs the main processing described above with respect to FIG. 2. The particular processing of each of the methods is then employed where the pluggable account management interface 123 invokes 213 the particular method of the account management services of the proper module type, and associated with the current system entry service 107. Accordingly, in the descriptions of the second through fifth categories that follow, it is assumed that the pluggable account management interface 123 has determined which account management service, and pathname, is being invoked by the system entry service 107.

Authentication Interfaces

In the second category, the pluggable account management interface 123 provides methods to manage authentication of the user. First, there is provided an authenticate user method. This method manages the authentication of a user with any number of authentication services, as determined by the service associations in the configuration file 127.

The authenticate user method is passed the user handle, and preferably, an authentication token. Where the user is connecting through a remote computer, the authenticate user method tests the name or address of the remote computer against a list of trusted remote computers. Where the remote computer is trusted, the user has already been authenticated, and no further local authentication is needed. If the remote computer is not a trusted source, the user's handle and authentication token are then passed to the selected authentication services.

The authenticate user method may additionally take a number of input parameters specifying the processing of the authentication token. A validate authentication token flag causes the authenticate user method to determine if the user's authentication token has expired in those systems that age the authentication token. This is preferably done by invoking the get authentication attributes method of the applicable account service, and comparing the specified information with the current date, time, or other system data. A continue authentication flag when set causes the authentication procedure to continue even if the authenticate user method of an authentication service 109 detected an error that would otherwise cause the authentication to fail. This flag provides a useful security feature that hides the authentication behavior from an unauthorized user by not informing such a user of the cause of the authentication failure, such as a non-valid user name, or an incorrect authentication token.

The authenticate user method preferably provides a return value indicating the status of the authentication. The return value indicates at least whether the authentication was successful or not, and may further indicate for unsuccessful attempts whether a predetermined maximum number of authentication attempts was exceeded, whether no valid (un-expired) account is present on the system for the user, or whether the authentication token has expired.

The pluggable account management interface 123 further includes in this first category a method that creates or sets the user's credentials. In the UNIX® environment, this method employs the underlying setuid and setgid functions of the operating system. In a Kerberos based environment, after authentication, the credential is a ticket for accessing a ticket granting service. The ticket includes the user id and group id information in encrypted form. The set credentials method allows the user to initialize and define a supplementary group access list, to set the real or effective group id, and to set the real or effective user id. A complementary get method retrieves these various values. The credentials are stored in a user context 141 or other facility. For other types of authentication services 109 the credentials are created consistent with the authentication framework of the authentication service 109.

The pluggable account management interface 123 also includes in this category a destroy credentials method. This method is invoked by the pluggable account management interface 123 when the user terminates a session or logs out of the system 100. The destroy credentials method invokes, on the selected authentication services 109 used to authenticate the user, their underlying destroy credentials methods.

Session Interfaces

In the third category, the pluggable account management interface 123 includes an open session method, and a close session method. The open session method generally initiates an open method of the session service associated with a given system entry service 107. The open session method controls the behavior of the underlying open session method by specifying how the user record file is to be handled, for either updating an existing entry if available, otherwise exiting, or creating a new entry for the session. A close session method similarly updates the user record, either updating an existing record, or deleting it.

Password Interfaces

In this fourth category, the pluggable account management interface 123 provides a change authentication token method. This method preferably passes a current authentication token, user handle, and conversation function to a selected password service 113 associated with the current system entry service 107, as determined from the configuration file 127. The password service 113, as further described below, manages the actual authentication and replacement of the authentication token.

Account Interfaces

In this fifth category of interfaces there are provided methods that determine and update various account validation attributes of a user account. Account validation attributes include account and authentication token aging data, including the minimum and maximum number of valid days for the account and authentication token, valid session hours, the authentication token modality of the authentication token, that is, whether an authentication token is required for the user to access the system, directory or service access restrictions, and the like. The validate account method is passed the user handle and obtains access to the user account validation attributes data therefrom. The validate account method then determines whether the account has expired, whether the user's authentication token has expired, whether the current session is during valid session hours for the user, whether the user requires authentication, and so forth. The validate account method passes back a return value indicating whether the user's account is valid with respect to the tracked parameters.

There is also provided in this category methods to get and set specific account validation attributes for the account. The user, or system administrator as appropriate, may set or get the account or authentication token expiration and aging information, the access hours, the modality of the authentication token, and the like. These methods invoke underlying similar methods of an account service 111 that perform the actual getting and setting of the account validation attributes.
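The FIG. 2 stacking logic described above (matching service associations by system entry service name and module type, with the wild card counting as a match, queuing the pathnames with their control flags, and invoking the queued services in order until a required one fails), the user handle and conversation function of the Service Transactions section, and the continue authentication flag of the Authentication Interfaces section can be shown together in working code. What follows is an added example written for this page; it is not code from the patent or from any PAM implementation. Python is used for illustration in place of the C-style interface the text describes; the loadable services are replaced by in-process callables keyed by pathname; the configuration line format, the status values, the dh_auth and unix_session pathnames, the user names and the tokens are all constructed for the sample.

```python
import fnmatch
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Status values modelled on the return values the text describes.
SUCCESS = "SUCCESS"
AUTH_ERR = "AUTH_ERR"


@dataclass(frozen=True)
class ServiceAssociation:
    """One entry of the configuration file 127, with the fields of Table 1."""
    entry_service: str             # system entry service name; "*" is the wild card
    module_type: str               # "auth", "session", "password" or "account"
    control_flag: str              # "required" or "optional"
    pathname: str                  # pathname of the account management service
    options: Tuple[str, ...] = ()  # service specific option parameters


@dataclass
class UserHandle:
    """Stand-in for the handle the start transaction method creates: who is
    connecting, through which entry service, and that service's conversation
    function for prompting the user."""
    entry_service: str
    user_name: str
    conv: Callable[[str], str]


def parse_config(text: str) -> List[ServiceAssociation]:
    """Parse the constructed line format used here, one association per line:
    <entry service> <module type> <control flag> <pathname> [options...]"""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[2] not in ("required", "optional"):
            raise ValueError(f"malformed service association: {raw!r}")
        entries.append(ServiceAssociation(parts[0], parts[1], parts[2],
                                          parts[3], tuple(parts[4:])))
    return entries


def queue_services(entries, entry_service, module_type):
    """Steps 203-209 of FIG. 2: scan the whole file and queue, in file order,
    every entry whose entry service name matches the invoking service (the
    wild card matches any name) and whose module type is the one requested."""
    return [e for e in entries
            if fnmatch.fnmatchcase(entry_service, e.entry_service)
            and e.module_type == module_type]


# Stand-in for a loaded service's authenticate method: it gets the handle, the
# token passed in (None if the user gave none) and the entry's options.
Service = Callable[[UserHandle, Optional[str], Tuple[str, ...]], str]


def authenticate_user(entries, services: Dict[str, Service], handle: UserHandle,
                      token: Optional[str], continue_auth: bool = False):
    """Steps 211-219 as run by the authenticate user method.  A failing required
    service normally aborts the stack at once (exit 219).  With the continue
    authentication flag set, every queued service is still invoked and a single
    generic failure is reported, so the caller cannot learn which service
    rejected the user.  Returns (status, pathnames invoked).  Policy choice made
    here: success also needs at least one accepting service (deny by default)."""
    invoked, required_failed, any_success = [], False, False
    for assoc in queue_services(entries, handle.entry_service, "auth"):
        invoked.append(assoc.pathname)
        service = services.get(assoc.pathname)
        # a service that cannot be loaded counts as a failed invocation
        status = service(handle, token, assoc.options) if service else AUTH_ERR
        if status == SUCCESS:                           # step 215
            any_success = True
        elif assoc.control_flag == "required":          # step 217
            required_failed = True
            if not continue_auth:
                return AUTH_ERR, invoked                # step 219
        # an optional service's failure never changes the outcome
    ok = any_success and not required_failed
    return (SUCCESS if ok else AUTH_ERR), invoked


def make_service(records: Dict[str, str]) -> Service:
    """Constructed stand-in service: prompts through the conversation function
    when no token was passed in (direct prompting 309), then accepts the user
    when the token equals the one on record."""
    def authenticate(handle, token, options):
        if token is None:
            token = handle.conv("Password: ")
        return SUCCESS if records.get(handle.user_name) == token else AUTH_ERR
    return authenticate


# Constructed configuration modelled on the Table 1 example: login must pass
# both the UNIX and RSA services and is then optionally checked by a
# Diffie-Hellman service reached through the wild card entry.
SAMPLE_CONFIG = """
login  auth     required  /usr/lib/PAM/unix_auth.so.1     use_default
login  auth     required  /usr/lib/PAM/unix_RSA.so.1      use_default
*      auth     optional  /usr/lib/PAM/dh_auth.so.1       debug
ftp    session  required  /usr/lib/PAM/unix_session.so.1
"""

# Constructed services keyed by pathname; the Diffie-Hellman stand-in has no
# records at all, so it always fails, which is harmless as it is optional.
SAMPLE_SERVICES = {
    "/usr/lib/PAM/unix_auth.so.1": make_service({"alice": "pw-alice"}),
    "/usr/lib/PAM/unix_RSA.so.1": make_service({"alice": "pw-alice"}),
    "/usr/lib/PAM/dh_auth.so.1": make_service({}),
}


def demo(entry_service, user, token=None, typed="pw-alice", continue_auth=False):
    """One connection attempt against the sample data; the conversation
    function simply answers every prompt with `typed`."""
    handle = UserHandle(entry_service, user, lambda prompt: typed)
    return authenticate_user(parse_config(SAMPLE_CONFIG), SAMPLE_SERVICES,
                             handle, token, continue_auth)
```

With continue_auth left False the stack stops at the first failing required service, as in the Table 1 walk-through, and the list of invoked pathnames shows exactly where it stopped. With the flag set, all three services still run on a bad token and the caller only sees AUTH_ERR, so it cannot tell from the outcome whether the UNIX or the RSA service rejected the user. The deny-by-default rule for a stack in which only optional services were invoked (the ftp case, which reaches only the wild card entry) is a choice made in this example; the text does not specify the outcome for that case.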

Account Management Services

The account management services include the set of services associated with establishing and maintaining a user account on the computer 101. These services include the authentication, session, password, and account services. In the preferred embodiment, each account management service includes methods that provide functionality supporting each of the methods of the pluggable account management interface 123. For example, each authentication service 109 includes methods that provide to the pluggable account management interface 123 the authentication of a user, and the creation and destruction of credentials. In the preferred embodiment, the names and interfaces of these are essentially the same as the interfaces to the methods of the pluggable account management interface 123. For example, there is an authenticate method of the pluggable account management interface 123, and an authenticate method of each authentication service, for which the function prototypes are the same, and the names vary only by a prefix indicating whether the interface is for the pluggable account management interface 123 or for an authentication service 109. This simplifies the organization of the pluggable account management interface 123, and the understandability of the interfaces. Accordingly, in the description that follows, the method names are referred to by the same designation.

Authentication Services

The computer 101 includes one or more authentication services 109. The authentication services 109 provide different types of authentication schemes for establishing and verifying an identity of a user 105 attempting to access the computer 101. The authentication services 109 may include password or encrypted key based mechanisms such as Diffie-Hellman, DES, Kerberos, RSA, and the like; biometric mechanisms; hardware/firmware based mechanisms, such as smart-card, and the like; or challenge/response systems, such as SecurID, or Enigma.

Each authentication service 109 includes an authenticate method, a create credentials method, and a destroy credentials method. The authenticate method performs the particular type of authentication associated with the authentication service 109. For example, the authenticate method may request and verify a user's password, request a response to a challenge prompt, decrypt an input key, or read, through the appropriate hardware devices, biometric data (such as a retina scan or voiceprint) of the user and verify such data.

The authenticate method takes as an input parameter a handle and the authentication token. The authentication token may be provided by the user, or it may be passed to the authenticate method by the pluggable account management interface 123 after being obtained from a user context 141 where there are multiple authentication services 109 being used to authenticate a user. This process provides for a unified login wherein the user provides a primary authentication token to the pluggable account management interface 123, and the pluggable account management interface 123 handles the access and forwarding of the encrypted secondary authentication tokens to their respective authentication services 109.

The create credentials method creates and stores the user's credentials. Credentials are typically user and session specific values that establish the user's identity. The create credentials method preferably takes as an input the user's handle, and data used to create the credentials, such as the user's id, the group id, or the like. The credentials may be stored in any appropriate facility or resource, such as the addressable memory 103, a system user's file, or the like, depending on the type of authentication service 109 being used. Depending on the authentication service, the create credentials method may be part of the authenticate method (as in UNIX, where setuid and setgid operations are performed in conjunction with authentication), or separate, as in a Kerberos authentication service, where tickets are granted separately from user authentication.

Each authentication service 109 further includes a destroy credentials method. This method locates the credentials of a selected user and removes, or destroys, them from whatever facility or resource is storing them.

Password Services

The system 100 further includes at least one password service 113. Each password service 113 manages the authentication tokens of authorized users of the system 100. Here, the password services 113 provide the actual functionality specific to the authentication environment for changing the authentication token of the user. Thus, each password service 113 provides a change authentication method that complies with the interface of the pluggable account management interface 123, to accept a user handle, authentication token, and conversation function. The password service 113 uses the conversation function to obtain a new authentication token from the user, and updates it accordingly.

Session Services

The system 100 further includes at least one session service 115. Each session service 115 manages the particular instances of an authorized user connecting to and using the system 100. In the preferred embodiment, each session service 115 provides an open session method and a close session method. The open session method initiates a session for the user on the computer system 100, recording when and where the user logged in. This data is preferably stored in a user record file, such as wtmp, utmp in UNIX®, that other services may query to determine which users are present. The close session method terminates the user's session, and updates the system 100 to indicate when the user logged out, and clears the entries in the user records.
The system 100 further includes at least one account service 111. Each account service 111 includes methods that set and get account validation attributes, including authentication token aging information, such as when the authentication token expires, the maximum and minimum number of valid days, and the like; access hours restrictions for the user's account; account expiration date; and account service restrictions, such as what directories, files, resources, or services the user is authorized to access. Each account service 111 maintains these account validation attributes for each user's account, and provides methods to get and set this data on a per user basis.

System Operation

Referring now to FIG. 3, there is shown a data flow diagram of the operation of the pluggable account management interface 123 in conjunction with the system entry services 107, account management services, and configuration file 127 during connection of a user to the system 100. The user initiates 301 a session on the computer 101 by invoking a selected system entry service 107, such as login, ftp, or the like. The system entry service 107 invokes its underlying connect method, passing the necessary connection information, handshakes, to the computer 101 to establish a physical connection between the user's terminal or computer and the computer 101. The system entry service 107 then invokes 303 the start transaction method of the pluggable account management interface 123, passing in the user's name, computer name, and the like, as described above. The pluggable account management interface 123 creates a handle for the user from this information.

The system entry service 107 invokes 305 the authenticate user method of the pluggable account management interface 123, passing in the user's handle. The pluggable account management interface 123 performs the general processing as described above with respect to FIG. 2 to determine which authentication services 109 are associated with the current system entry service 107, and to queue the pathnames of these services. The multiple authentication services 109 are illustrated in the figure. This process is used in support of the unified login, since the selected authentication services 109 have been determined transparently to the user. The authenticate user method in turn invokes 307 the authenticate method of each authentication service 109 that is identified in the configuration file 127. In the preferred embodiment, the pluggable account management interface 123 passes in the user handle, an authentication token, and the conversation function address for the system entry service 107. The authenticate method of each selected authentication service 109 authenticates the user, either through direct prompting 309 via the conversation functions and analysis of the user's response, or through analysis of the authentication token passed into the authenticate method. If requested, the user provides 311 an authentication token, such as a password, biometric data, smart card, or the like. In either case, the authenticate method then authenti-

[...]

handle, an authentication token, if any, control flags, as specified, and a variable holding a global token, if any. The global token is used to pass a primary authentication token between the selected authentication services 109, particularly, between a primary authentication service 109, the first authentication service 109 listed in the configuration file 127 or similar database, and the secondary authentication services 109. The authentication service 109 then determines 403 whether the option parameter is set to use_map, indicating that authentication token mapping is being used by all authentication services 109.

If so, the authentication service 109 determines 405 whether the global token is available, that is, non-null. The global token is unavailable if the user did not pass in an authentication token when connecting. If the global authentication token is not available, then there is an error because there is no authentication token with which to perform the authentication token mapping. Accordingly, the authentication service 109 exits 419, and returns an error.

If, however, the global token is available, it means that the current authentication service 109 is a secondary authentication service being called to authenticate the user. This secondary authentication service 109 obtains 408 an encrypted secondary authentication token associated with the service 109. This may be done by requesting the pluggable account management interface 123 to obtain the encrypted secondary authentication token. The pluggable account management interface 123 obtains the appropriate secondary authentication token for the requesting secondary authentication service 109 from either the user context 141 (or alternatively, a naming service, directory, smart card or any other storage facility), and passes it back to the secondary authentication service 109, which then decrypts it.

The authentication service 109 verifies 407 the token, whether it is a global token, primary authentication token, or secondary authentication token, depending on whether the authentication service 109 is the primary authentication service, and whether authentication token mapping is being used.

The authentication service 109 tests 409 whether the verification was successful. If the verification was successful and the user authenticated, the authentication service 109 further determines 411 whether the global token is empty. For a first, or primary, authentication service 109 authenticating the user, the global token will be empty. Accordingly, the authentication service 109 stores 413 the primary authentication token to the global token, and exits 419, returning a return value indicating that the authentication was successful.
cates the user's authentication token. 

Unified login for the multiple authentication services 109 
is provided by authentication token mapping. Referring now 
to FIG. 4, there is shown a flowchart of one embodiment of 
handling the authentication token mapping in each of the 
authentication services 109. An authentication service 109 is 
invoked 401 by the pluggable account management interface 
123 through its authenticate method, with the pluggable 
account management interface 123 passing in the user 
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If the authentication failed, the authentication service 109 
exits 419, and returns a value indicating failure. The plug- 
gable account management interface 123 may then proceed 
as programmed, as shown in FIG. 2, above. This process 
may be repeated for each selected authentication service 109 
that is stacked in the configuration file 127. 

If the authentication service 109 determines 403 that the 
flag is set to use_default, then this means that authentication 
token mapping is not being used for that particular authen- 
tication service 109, but the authentication service 109 is to 
use the global or primary authentication token. The authen- 
tication service 109 determines 415 whether the global token 
is available. Again, the global token will be available if 
passed-in by the user. If the global token is avaiable, then it 
is used to verify 407 the user, the authentication service 109 
proceeding as described above. At step 411 the global token 
is available, so the step of storing 413 is bypassed. 
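The FIG. 4 authenticate flow as an added Python simulation (not code from the patent): three services stacked for one system entry service, a global token shared between them, and the use_map / use_default option parameter deciding whether a service decrypts its own secondary token or reuses the primary one. The service pathnames, the secrets, the control-flag handling and the SHA-256 XOR keystream standing in for the cipher are all constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample configuration: the "login" system entry service is stacked
# with three authentication services, each entry giving the service pathname,
# its control flag (required/optional) and its option parameter.
USE_DEFAULT, USE_MAP = "use_default", "use_map"
REQUIRED, OPTIONAL = "required", "optional"
CONFIG = {
    "login": [
        ("/lib/auth_unix.so", REQUIRED, USE_DEFAULT),  # primary service (listed first)
        ("/lib/auth_kerb.so", REQUIRED, USE_MAP),      # secondary: uses a mapped token
        ("/lib/auth_dce.so",  OPTIONAL, USE_DEFAULT),  # secondary: reuses the primary token
    ]
}

# Verifier each service keeps for its own token (hypothetical sample secrets).
VERIFIERS = {
    "/lib/auth_unix.so": hashlib.sha256(b"unix-secret").hexdigest(),
    "/lib/auth_kerb.so": hashlib.sha256(b"kerb-secret").hexdigest(),
    "/lib/auth_dce.so":  hashlib.sha256(b"unix-secret").hexdigest(),
}

def _keystream(key, length):
    # Toy SHA-256 counter stream; stands in for whatever cipher an implementation
    # would use to encrypt secondary tokens under the primary token.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(f"{key}:{counter}".encode()).digest()
        counter += 1
    return out[:length]

def encrypt_token(primary, secondary):
    data = secondary.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(primary, len(data))))

def decrypt_token(primary, blob):
    plain = bytes(a ^ b for a, b in zip(blob, _keystream(primary, len(blob))))
    return plain.decode("utf-8", errors="replace")

# Authentication token mapping held in the user context: alice's secondary
# token for the kerb service is stored encrypted with her primary (unix) token.
USER_CONTEXT = {
    ("alice", "/lib/auth_kerb.so"): encrypt_token("unix-secret", "kerb-secret"),
}

def authenticate(service, user, option, ctx, conversation):
    """Authenticate method of one service, following the FIG. 4 step numbers.

    ctx["global"] is the global token passed between the stacked services.
    Returns True when the candidate token verifies against the service's verifier.
    """
    if option == USE_MAP:                                  # step 403
        if ctx["global"] is None:                          # step 405: nothing to decrypt with
            return False                                   # step 419: error
        blob = USER_CONTEXT.get((user, service))           # step 408: fetch the mapping
        if blob is None:
            return False
        candidate = decrypt_token(ctx["global"], blob)
    elif ctx["global"] is not None:                        # use_default, step 415
        candidate = ctx["global"]
    else:                                                  # step 421: ask the user
        candidate = conversation(f"{service} password: ")
    digest = hashlib.sha256(candidate.encode()).hexdigest()
    ok = hmac.compare_digest(digest, VERIFIERS[service])   # steps 407, 409
    if ok and ctx["global"] is None:                       # steps 411, 413: primary service
        ctx["global"] = candidate
    return ok

def authenticate_user(entry_service, user, token, conversation):
    """Authenticate user method of the interface: read the config, run the stack.

    Returns (granted, [(pathname, ok), ...]); a failing required service ends
    the stack, a failing optional one is recorded and processing continues.
    """
    ctx = {"global": token}   # token passed in by the user when connecting, if any
    results = []
    for pathname, flag, option in CONFIG[entry_service]:
        ok = authenticate(pathname, user, option, ctx, conversation)
        results.append((pathname, ok))
        if not ok and flag == REQUIRED:
            return False, results
    return True, results
```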
If, however, the global token is not available for use as a default authentication token, the authentication service 109 initiates 421 a conversation with the system entry service 107, via the conversation function address, in order to obtain a primary authentication token from the user. The user passes in the primary authentication token (as described above). Again, the authentication service 109 verifies 407 the user, now using the primary authentication token, and stores 413 this primary authentication token to the global token. For any subsequent secondary authentication service 109 that is invoked, and for which the use_map flag is set, such secondary authentication service 109 uses the global token to decrypt 408 a particular secondary authentication token.

If the authentication process is successful by the selected authentication services 109, the system entry service 107 is granted access to the computer 101. Otherwise, the pluggable account management interface 123 continues processing, or exits, depending on whether the authentication was required or optional, as described above.

Where access is granted, the user's credentials are created. This may be done through a direct invocation 313 by the pluggable account management interface 123 on its set credentials method, or it may be done implicitly by the authentication service 109 when the user is authenticated. The created credentials are stored in the credential store 143, or other storage facility. The system entry service 107 invokes 315 an open session method of the pluggable account management interface 123 in order to initiate a new session for the user. Again, the pluggable account management interface 123 determines from the configuration file 127 the appropriate session service for the current system entry service, and invokes 317 its open session method. The open session method updates the user record as described, and performs other useful session management functions.

The system entry service 107 may then validate 319 the user's account through the validate account method of the pluggable account management interface 123, passing in the user handle. Here too, the pluggable account management interface 123 determines the selected account service from the configuration file 127, and invokes 321 the validate account method of such service to determine whether the user's account has expired, whether a new password is needed, and the like.

If the user's password has expired, then the pluggable account management interface 123 determines the selected password service for the current system entry service 107, and invokes 323 the change authentication token method of such password service. The password service 113 in turn requests the user to provide the current and a new authentication token, using the conversation functions of the system entry service 107.

Finally, after the user has been authenticated, a session opened, and the user's account validated, the user is granted 325 access to the other services available on the computer system 100.

Referring now to FIG. 5, there is shown a dataflow diagram of the process of disconnecting from the computer 101, and providing unified logout. The unified logout process ensures that the user's authentication token and credentials are removed from any publicly accessible resource, and thus cannot be fraudulently obtained or used after the user has terminated a session. Referring to the figure, the user logs out 501 of the system entry service 107, either explicitly by invoking a specific method of the system entry service 107, or implicitly by shutting off the workstation or terminal the user is working on. In either case, the system entry service 107 initiates a disconnect process, and handles the necessary physical disconnection and protocols for disconnecting from the system 100. As a part of the disconnect process the system entry service 107 invokes 503 the destroy credentials method of the pluggable account management interface 123, passing in the user handle.

The pluggable account management interface 123 determines 505 from the configuration file 127 the selected authentication services 109, and invokes 507 on each of them a destroy credentials method, passing in the user handle. Each of these authentication services 109 performs its appropriate destroy credentials method, locating and removing 509 the user's credentials and authentication tokens from whatever credential storage 143 or other facility in which they may be stored. The user's access to the other services 123 on the system 100 is terminated 513. In an alternate embodiment, a separate account management service may be provided in addressable memory 103 for each authentication service 109 that provides the destroy credentials method, and is thereby invoked by the pluggable account management interface 123 in response to the system entry service's 109 request to destroy credentials. In either case, the configuration file 127 is used to stack the appropriate service and pathname in association with the system entry service 107. This allows the pluggable account management interface 123 to transparently provide the unified logout process. As a result, the user can log out of the system as easily and simply as she logged in, without any need to directly interact with the underlying authentication services 109.

Referring again to FIG. 5, each selected authentication service 109 accesses the user's credentials and authentication tokens in whatever facility they are stored, and removes 509 them. This prevents unauthorized users from obtaining the credentials. Since the pluggable account management interface 123 handles the invocation cycle on each of the selected authentication services, the user does not have to manually invoke the destroy credentials method on each, thereby providing significant ease of use to the user, and a transparent, yet secure logout process. An end transaction method may be used to deallocate any storage that the pluggable account management interface 123 allocated to any of the selected account management services, making such storage available to other processes on the system 100.

Referring now to FIG. 6, there is shown a flowchart for the logic of the destroy credentials method of an authentication service 109. This method is preferably provided as a part of each authentication service 109, and is performed by the service when invoked either by the system entry service 107 during logout, or by the user directly.

The authentication service 109 determines 601 the user for whom destroy credentials is being called. The user is preferably determined from the user handle, passed in by the calling function, or in some cases, the authentication service 109 may initiate a conversation via the calling service's conversation function to obtain directly the user name, and related information.

The authentication service 109 then verifies 603 the user to prevent another, unauthorized user from invoking the destroy credentials function and destroying the keys of the legitimate user. Verification may be done either as a re-authentication, using a passed-in authentication token, or a challenge/response conversation via the conversation function address, and the authenticate user method. Alternatively, the authentication service 109 may obtain the
user id of the user for whom the credentials are being 
destroyed from the user handle, and compare this with the 
user id of the user calling the function, obtaining this latter 
user id from the operating system 133. 

The authentication service 109 determines 605 whether 
the user was verified. If not, an unauthorized user is attempt- 
ing to logout a legitimate user, and so the authentication 
service 109 exits 611. If the verification was successful, the 
authentication service 109 locates 607 the user's credentials 
and authentication tokens. The authentication service 109 
either itself maintains information on where the credentials 
of each user are stored, or it employs the operating system 
133 to obtain the credentials. As stated above, the credentials 
and authentication tokens may be stored in a user context 
141, a naming service, directory, a file, daemon, smart card, 
or even in memory, according to the machine specific 
implementation of the authentication service 109. 

The authentication service 109 destroys 609 the user's 
credentials and authentication tokens, if any, that are stored 
for the current session. Destroying the credentials may 
involve invoking a daemon, for example, to remove the 
credentials from their storage facility. The authentication 
service 109 then exits 611, returning to the pluggable 
account management interface 123. The pluggable account 
management interface 123 then invokes each remaining 
selected authentication service 109 (or specific account 
management service for destroying credentials) to complete 
the unified logout. 
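The FIG. 6 destroy credentials logic and the FIG. 5 unified logout that drives it, as an added Python simulation (not code from the patent): the service identifies the user from the handle, verifies the caller by uid comparison against what the operating system reports or by re-authentication with a passed-in token, and only then locates and removes that user's credentials; the interface repeats this across every stacked service. The pathnames, uids, secrets and the dictionary standing in for the credential store are constructed placeholders.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data: the services stacked for the "login" system entry
# service, the uids the operating system would report for each user, and a
# per-user verifier a service could use for re-authentication.
CONFIG = {"login": ["/lib/auth_unix.so", "/lib/auth_kerb.so", "/lib/auth_dce.so"]}
OS_UIDS = {"alice": 1001, "bob": 1002}
VERIFIERS = {"alice": hashlib.sha256(b"alice-secret").hexdigest()}

def sample_credential_store():
    # Stands in for the credential store 143: (user, service) -> credentials.
    # Built fresh on each call so that one logout cannot affect another run.
    return {
        ("alice", "/lib/auth_unix.so"): {"session_key": "k-alice"},
        ("alice", "/lib/auth_kerb.so"): {"ticket": "tgt-alice"},
        ("bob", "/lib/auth_kerb.so"): {"ticket": "tgt-bob"},
    }

@dataclass(frozen=True)
class UserHandle:
    entry_service: str
    user: str

def destroy_credentials(service, handle, store, caller_uid, token=None):
    """One service's destroy credentials method, following the FIG. 6 steps.

    Returns "refused" when the caller could not be verified as the credential
    owner, "destroyed" when credentials were removed, or "none" when this
    service held nothing for the user.
    """
    user = handle.user                                      # step 601
    # step 603: verify the caller. Either the caller's uid (from the OS) is the
    # handle's user, or the caller re-authenticates with that user's own token.
    verified = OS_UIDS.get(user) == caller_uid
    if not verified and token is not None and user in VERIFIERS:
        digest = hashlib.sha256(token.encode()).hexdigest()
        verified = hmac.compare_digest(digest, VERIFIERS[user])
    if not verified:                                        # step 605 -> exit 611
        return "refused"
    creds = store.pop((user, service), None)                # steps 607, 609
    return "destroyed" if creds is not None else "none"

def unified_logout(handle, store, caller_uid, token=None):
    """Interface-level destroy credentials: steps 505 to 509 of FIG. 5.

    Reads the stacked services for the handle's entry service and invokes the
    destroy credentials method of each, returning the outcome per service.
    """
    return {svc: destroy_credentials(svc, handle, store, caller_uid, token)
            for svc in CONFIG[handle.entry_service]}
```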

We claim: 

1. A computer system providing multiple account man- 
agement services to a user connecting to the computer 
system with a first system entry service, comprising: 

at least one system entry service, each system entry 
service providing a method to connect a user to the 
computer system during a session; 

at least one account management service comprising a 
plurality of operations for managing user specific 
account data for users of the computer system; 

a storage facility having a plurality of services 
associations, each service association identifying a 
system entry service and at least one account manage- 
ment service; and, 

an application programming interface mediating between 
the system entry services and the account management 
services, the application programming interface pro- 
viding a plurality of API methods, each API method 
invoking at least one operation of at least one selected 
account management service in response to an invoca- 
tion of the application programming interface to pro- 
vide the operation, the application programming inter- 
face determining from the storage facility the at least 
one selected account management service associated 
with a selected system entry service used to connect the 
user to the computer system. 

2. The computer system of claim 1, wherein in each 
service association the account management service is iden- 
tified by an account management type and by a pathname 
specifying a storage location of the account management 
service. 

3. The computer system of claim 2, each service associa- 
tion further comprising a control flag specifying whether the 
API method invoking the account management service 
identified in the service association continues executing 
following a failure of an invoked operation of the account 
management service. 
4. The computer system of claim 1, further comprising: 

a plurality of authentication services included in the 
account management services, each authentication 
associated with at least one system entry service in a 
service association in the storage facility, and providing 
a first method that authenticates a user from data 
identifying the user and an authentication token; and 
the application programming interface having at least one 
method that identifies at least one selected authentica- 
tion service associated with the selected system entry 
service, and invokes the first method of each selected 
authentication service. 

5. The computer system of claim 4, wherein: 
each authentication service further comprises: 

a second method that creates credentials for an authen- 
ticated user, and stores the credentials; 
a third method that destroys the credentials; 
the application programming interface having at least one 
method that determines at least one selected authenti- 
cation service associated with the selected system entry 
service, and invokes the third method of each selected 
authentication service in response to a user terminating 
operation of the selected system entry service. 

6. The computer system of claim 4, where the user is 
connecting to the computer system from a remote computer, 
the application programming interface determines whether 
the remote computer is a trusted computer known to have 
previously authenticated the user, and only in response to the 
remote computer not being a trusted computer invokes the 
first method of each selected authentication service to 
authenticate the user. 

7. The computer system of claim 1, further comprising: 
at least one session service included in the account 
management services, each session associated with at 
least one system entry service in a service association 
in the storage facility, and providing a first session 
method that opens a session for a user of the computer 
system; and, 

the application programming interface having at least one 
method that identifies at least one selected session 
services associated with the selected system entry 
service, and invokes the first session method of each 
selected session service. 

8. The computer system of claim 7, wherein: 

each session service further comprises a second session 
method that closes a session of the user on the computer 
system; and 

the application programming interface having at least one 
method that identifies at least one selected session 
service associated with the selected system entry 
service, and invokes the second session method of each 
selected session service in response to a user terminat- 
ing operation of the selected system entry service. 

9. The computer system of claim 1, further comprising: 
at least one account service included in the account 
management services, each account service associated 
with at least one system entry service in a service 
association in the storage facility, and maintaining 
account validation attributes for an account of a user; 
and, 

the application programming interface having at least one 
method that identifies a selected account service asso- 
ciated with the selected system entry service, and 
determines from the selected account service whether 
the user's account is valid from the account validation 
attributes in response to the user connecting to the 
computer system with the selected system entry ser- 
vice. 

10. The computer system of claim 9, wherein: 

each account service further comprises a first account 
method that determines selected account validation 
attributes; and 

the application programming interface having at least one 
method that identifies the selected account service 
associated with the selected system entry service, and 
invokes the first account method of the selected account 
service in response to a user request to determine the 
selected account validation attributes. 

11. The computer system of claim 1, further comprising: 
at least one password service included in the account 
management services, each password service associ- 
ated with at least one system entry service in a service 
association in the storage facility, and having a first 
password method that updates a current authentication 
token of the user to a new authentication token; and, 
the application programming interface having at least one 
method that identifies at least one selected password 
service associated with the selected system entry 
service, and invokes the first password method of each 
selected password service in response to the current 
authentication token of the user being expired. 

12. The computer system of claim 1, wherein the API 
methods of the application programming interface further 
comprise: 

a start transaction method that initiates a transaction and 
creates a user handle in response to data identifying the 
selected system entry service and the user's name; 

a set user handle method that updates selected data items 
in the user handle; and 

an end transaction method that terminates a transaction 
for a selected user handle. 

13. A computer system providing unified login through a 
plurality of authentication services with a single primary 
authentication token, comprising: 

a plurality of authentication services each authentication 
providing a first method that authenticates a user from 
data identifying the user and an authentication token; 
and 

a first storage facility storing a plurality of authentication 
token mappings, each authentication token mapping 
including a primary authentication token, and at least 
one secondary authentication token encrypted with the 
primary authentication token, and data specifying a 
secondary authentication service associated with the 
secondary authentication token; 

a system entry service connecting a user to the computer 
system during a session and associated with a plurality 
of authentication services, one of the plurality of 
authentication services being a primary authentication 
service, and at least one of the plurality of authentica- 
tion services being a secondary authentication service; 

an application programming interface having at least a 
first method that: 

determines the primary authentication service associ- 
ated with the system entry service, and each second- 
ary authentication service associated with the system 
entry service; 

invokes the first method of the primary authentication 
service, the first method of the primary authentica- 
tion service authenticating the user with a primary 
authentication service obtained from a user; and, 

invokes the first method of each secondary authentication service, the first method of each secondary 
authentication service obtaining from the first stor- 
age facility a secondary authentication token asso- 
ciated with the secondary authentication service, 
decrypting it with the primary authentication, and 
authenticating the user with the decrypted secondary 
authentication token. 

14. The computer system of claim 13, further comprising: 
for each secondary authentication service a parameter 
value that indicates use of either encrypted secondary 
authentication tokens, or a primary authentication 
token; and, 

each secondary authentication service determines the 
parameter value, and responsive to the parameter value 
indicating use of a primary authentication token, 
authenticates the user with the primary authentication 
token. 

15. A method for providing multiple account management 
services, each account management service providing 
account management methods, to a user of a computer 
system, comprising the steps of: 

storing in a computer readable storage facility a plurality 
of associations between selected system entry services 
and selected account management services; 

connecting the user with a first system entry service to the 
computer system; 

determining from the storage facility a first account 
management service associated with the first system 
entry service; 

selectively invoking methods of the first account man- 
agement services in response to requests by the first 
system entry service or the user for selected account 
management methods. 

16. The method of claim 15, wherein the step of storing 
in a computer readable storage facility further comprises the 
step of: 

storing associations between selected ones of the system 
entry services and selected authentication services, 
each selected authentication service providing a 
method for authenticating a user. 

17. The method of claim 16, further comprising the steps 
of: 

in response to connecting the user to the computer system, 
performing the steps of: 

identifying from the storage facility selected authenti- 
cation services associated with the first system entry 
service; and 

invoking each selected authentication service to 
authenticate the user. 

18. The method of claim 17, further comprising the steps 
of: 

determining whether a first selected authentication service 
successfully authenticated the user; and 

responsive to a first selected authentication service not 
successfully authenticating a user, invoking a second 
selected authentication service to authenticate the user. 

19. The method of claim 17, further comprising the steps 
of: 

determining whether a first selected authentication service 
successfully authenticated the user; 

responsive to a first selected authentication service not 
successfully authenticating a user, indicating to the first 
system entry service that the user was not successfully 
authenticated; and 

disconnecting the user from the computer system. 

20. The method of claim 16, further comprising the steps 
of: 

for each selected authentication service, creating a user 
credential of a first user, and storing the user credential; 
responsive to a request by a second user to terminate the 
first system entry service, performing the steps of: 
determining whether the second user is the first user; 
responsive to the second user being the first user, for 
each selected authentication service, destroying the 
user credential. 

21. The method of claim 15, wherein the step of selec- 
tively invoking methods of the account management 
services, further comprises the steps of: 

determining whether an invoked method of a first account 
management service executed successfully; 

responsive to an invoked method of a first account man- 
agement service executing successfully, invoking a 
method of a second account management service; 

responsive to the invoked method of the first account 
management service not executing successfully, deter- 
mining whether the first account management service is 
required; and 

responsive to the first management service not being 
required, invoking a method of a second account man- 
agement service. 

22. A method of providing unified login to multiple 
authentication services on a computer system, comprising 
the steps of: 

storing in a computer readable facility a primary authen- 
tication token associated with a primary authentication 
service, and at least one secondary authentication token 
encrypted with the primary authentication token and 
associated with a secondary authentication service; 

authenticating a user with the primary authentication 
token; 

determining whether the user was successfully authenti- 
cated; 

responsive to the user being successfully authenticated, 
for each secondary authentication service, performing 
the steps of: 

retrieving a secondary authentication token associated 
with the secondary authentication service from the 
storage facility; 

decrypting the secondary authentication token with the 
primary authentication token; and 

authenticating the user with the secondary authentica- 
tion token. 

23. A computer operable mechanism for controlling the 
operation of a computer system, comprising: 

a computer readable memory; 
an application programming interface stored on the com- 
puter readable memory, having a plurality of methods, 
each method executable by the computer system and 
providing an interface to an operation of a selected 
account management service, the selected account 
management service dynamically determined by the 
application programming interface from among a plu- 
rality of stored associations in response to an invoca- 
tion of the interface of the method, each association 
identifying a system entry service and an account 
management service of a predetermined type. 

24. A computer system providing unified logout to mul- 
tiple authentication services for a user, comprising: 

at least one system entry service, each system entry 
service providing a method to connect a user to the 
computer system during a session; 

a plurality of authentication services, each authentication 
service associated with at least one system entry service 
in a service association in a storage facility, and pro- 
viding a first method that creates a user's credentials, 
and a second method that destroys the user's creden- 
tials; 

a storage facility having a plurality of services 
associations, each service association identifying a 
system entry service and at least one authentication 
service; and, 

an application programming interface mediating between 
the system entry services and the authentication 
services, the application programming interface having 
at least one method that invokes, in response to a user 
connecting to the system with a selected system entry 
service, the first method of each selected authentication 
service associated with the selected system entry ser- 
vice; and further invokes, in response to a user termi- 
nating operation of the selected system entry service, 
the second method of each selected authentication 
service. 

25. The computer system of claim 1, wherein the account 
management services include: 

a plurality of authentication services; 
at least one session service; 
at least one account service; and, 
at least one password service. 

26. The method of claim 15, wherein the account man- 
agement services include: 

a plurality of authentication services; 
at least one session service; 
at least one account service; and, 
at least one password service. 